We’ll confess to singing along to a Stevie Nicks song or doing an air guitar solo when no one’s looking. But some people take their lip syncing to the next level. More than 200 million people – 65 million of them in the U.S. – downloaded the Musical.ly app. It gave users a platform to create videos and synchronize them with popular songs. It also allowed users to interact directly with each other. That may sound like fun for aficionados, but it raises concerns for parents, especially given public reports that adults have used the Musical.ly app to contact children. The FTC alleges Musical.ly violated the Children’s Online Privacy Protection Rule by collecting personal information from kids without parental consent. The $5.7 million civil penalty is the FTC’s largest ever under COPPA.
To register for the Musical.ly app, users provided their email address, phone number, full name, username, a profile picture, and a short bio. For the first three years, Musical.ly didn’t ask for the user’s age. Since July 2017, the company has asked about age and prevents people who say they’re under 13 from creating accounts. But Musical.ly didn’t go back and request age information for people who already had accounts.
The online library for Musical.ly – now known as TikTok – features lots of tracks popular with tweens and younger children. Once users create videos, they can share them publicly. Other users can comment and “follow” them to see more of their videos. By default, users’ accounts were set to “public,” meaning others could see their bio (which may include their age or grade in school), their profile picture, and username. Users had the option to set their accounts so that only approved followers could see their videos, but even then their bios, pictures, and usernames remained public and searchable.
By default, the app also let users send direct messages to any other user. Until October 2016, the app included a “my city” tab that gave people a list of other users within a 50-mile radius.
That’s how Musical.ly worked, so let’s turn to the operation of COPPA. The Rule applies to operators of websites and online services that: 1) are directed to children and collect personal information from them, or 2) are directed to a general audience, but have actual knowledge they’re collecting personal information from kids. If the site or service meets either definition, COPPA requires them – among other things – to get parental consent before collecting personal information from children under 13. The FTC’s complaint alleges Musical.ly was covered under both standards.
First, the FTC says Musical.ly met COPPA’s definition of a site “directed to children.” How does the agency make that determination? According to Section 312.2 of the Rule, data about audience composition is an important factor and in this case, the evidence suggested that a significant percentage of Musical.ly users were under 13. In fact, multiple press articles between 2016 and 2018 highlighted the popularity of the app among tweens and younger kids. The Rule lists additional factors like subject matter, visual content, music, and the presence of child celebrities or celebrities who appeal to kids. You’ll want to read the complaint for the details, but the FTC also cited Musical.ly song folders with titles like “Disney” (featuring music from movies like Toy Story and The Lion King) and “school” (featuring songs about school-related subjects or school-themed TV shows and movies). In addition, the complaint mentions the colorful emojis users could send to each other – cute animals, smiley faces, and the like.
Second, the complaint alleges that Musical.ly had actual knowledge the company was collecting personal information from children. A look at users’ profiles reveals that many of them gave their date of birth or grade in school. And since at least 2014, Musical.ly has received thousands of complaints from parents of kids under 13 who were registered users. In just a two-week period in September 2016, the company received over 300 complaints from Moms or Dads asking Musical.ly to delete their child’s account. Of course, under COPPA it’s not enough just to delete existing accounts. According to the FTC, Musical.ly failed to delete those kids’ videos and profiles from the company’s servers.
The complaint charges that Musical.ly violated COPPA by:
- Failing to provide notice on their site of the information they collect online from children, how they use it, and their disclosure practices,
- Failing to provide direct notice to parents,
- Failing to get consent from parents before collecting personal information from children,
- Failing to honor parents’ requests to delete personal information collected from kids, and
- Retaining that personal information for longer than reasonably necessary.
In addition to the $5.7 million civil penalty, the company has agreed to change their practices to ensure COPPA compliance.
The primary message for other sites and services is to think twice before concluding “We’re not covered by COPPA.” According to COPPA, whether a company intends – or doesn’t intend – to have a site directed to kids isn’t what controls the analysis. Instead, the FTC will look to the site’s look and feel, as well as evidence that the company had actual knowledge that users are under 13. Visit the Business Center’s Children’s Privacy page for resources to help streamline your responsibilities under COPPA.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
In reply to The Children's Advertising by Lee Peeler
Many thanks to CARU for the great work they do in fostering effective self-regulation.
In reply to My identity has been by Elizabeth Dian…
You can report identity theft and get a recovery plan at IdentityTheft.gov.
You can report what happened and get a personal recovery plan. You can create an account, get help with each step in the recovery and pdate your plan after you contact the businesses that were affected by the theft. The site has letters and forms you can send to credit reporting companies, businesses, debt collectors and others.